CCISO
CCISOs are certified in the knowledge of and experience in the following CCISO Domains:
Domain 1: Governance
- Define, implement, manage and maintain an information security governance program that includes leadership, organizational structures and processes.
- Align information security governance framework with organizational goals and governance, i.e., leadership style, philosophy, values, standards and policies.
- Establish information security management structure.
- Establish a framework for information security governance monitoring (considering cost/benefits analyses of controls and ROI).
- Understand standards, procedures, directives, policies, regulations, and legal issues that affect the information security program.
- Understand the enterprise information security compliance program and manage the compliance team.
- Analyze all the external laws, regulations, standards, and best practices applicable to the organization.
- Understand the various provisions of the laws that affect organizational security, such as the Gramm-Leach-Bliley Act, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act [HIPAA], Federal Information Security Management Act [FISMA], Clinger-Cohen Act, Privacy Act, Sarbanes-Oxley, etc.
- Be familiar with the different standards such as ISO 27000 series, Federal Information Processing Standards [FIPS].
- Understand the federal and organization-specific published documents used to manage operations in a computing environment.
- Assess the major enterprise risk factors for compliance.
- Coordinate the application of information security strategies, plans, policies, and procedures to reduce regulatory risk.
- Understand the importance of regulatory information security organizations and appropriate industry groups, forums, and stakeholders.
- Understand the information security changes, trends, and best practices.
- Manage enterprise compliance program controls.
- Understand the information security compliance process and procedures.
- Compile, analyze, and report compliance programs.
- Understand the compliance auditing and certification programs.
- Follow organizational ethics.
Domain 2: Security Program Management & Operations
- For each information systems project develop a clear project scope statement in alignment with organizational objectives.
- Define activities needed to successfully execute the information systems program, estimate activity duration, and develop a schedule and staffing plan.
- Develop, manage and monitor the information systems program budget, estimate and control costs of individual projects.
- Identify, negotiate, acquire and manage the resources needed for successful design and implementation of the information systems program (e.g., people, infrastructure, and architecture).
- Acquire, develop and manage the information security project team.
- Assign clear information security personnel job functions and provide continuous training to ensure effective performance and accountability.
- Direct information security personnel and establish communications and team activities between the information systems team and other security-related personnel (e.g., technical support, incident management, security engineering).
- Resolve personnel and teamwork issues within time, cost, and quality constraints.
- Identify, negotiate and manage vendor agreements and communication.
- Participate with vendors and stakeholders to review/assess recommended solutions; identify incompatibilities, challenges, or issues with proposed solutions.
- Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.
- Develop a plan to continuously measure the effectiveness of the information systems projects to ensure optimal system performance.
- Identify stakeholders, manage stakeholders’ expectations and communicate effectively to report progress and performance.
- Ensure that necessary changes and improvements to the information systems processes are implemented as required.
Domain 3: Information Security Core Concepts
Access Control
- Identify the criteria for mandatory and discretionary access control, understand the different factors that help in implementation of access controls and design an access control plan.
- Implement and manage an access control plan in alignment with the basic principles that govern the access control systems such as need-to-know.
- Identify different access control systems such as ID cards and biometrics.
- Understand the importance of warning banners for implementing access rules.
- Develop procedures to ensure system users are aware of their IA responsibilities before granting access to the information systems.
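The access control items above contrast mandatory access control (MAC), where a system-wide policy compares security labels, with discretionary access control (DAC), where a resource owner grants rights, and they single out need-to-know as a governing principle. The following is an added example, not part of the CCISO domain list or any EC-Council material: a minimal reference monitor in Python that applies both checks to a request. The sensitivity levels, compartment names, users and file are constructed sample data; the MAC rules follow the Bell-LaPadula "no read up / no write down" model, and need-to-know is modelled as compartments that the subject's clearance must include.

```python
"""Added example: a toy reference monitor combining DAC (owner-managed ACL)
with MAC (label comparison plus need-to-know compartments).
All users, labels and the sample resource are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels, low to high.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        # A label dominates another when its level is at least as high
        # and it carries every compartment the other label carries.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Resource:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # DAC: user -> set of rights


@dataclass
class Subject:
    name: str
    clearance: Label


def dac_allows(subject: Subject, resource: Resource, right: str) -> bool:
    # Discretionary rule: the owner has full rights; anyone else needs an
    # explicit grant in the ACL maintained by that owner.
    if subject.name == resource.owner:
        return True
    return right in resource.acl.get(subject.name, set())


def mac_allows(subject: Subject, resource: Resource, right: str) -> bool:
    # Mandatory rule (Bell-LaPadula): reading requires the clearance to
    # dominate the object label (no read up); writing requires the object
    # label to dominate the clearance (no write down). Compartments inside
    # the labels enforce need-to-know in both directions.
    if right == "read":
        return subject.clearance.dominates(resource.label)
    if right == "write":
        return resource.label.dominates(subject.clearance)
    return False


def access_decision(subject: Subject, resource: Resource, right: str):
    """Both checks must pass; an owner's ACL grant can never override MAC."""
    mac = mac_allows(subject, resource, right)
    dac = dac_allows(subject, resource, right)
    if mac and dac:
        return ("allow", "dac+mac")
    failed = [name for name, ok in (("mac", mac), ("dac", dac)) if not ok]
    return ("deny", "+".join(failed))


# Constructed sample data: three users and one finance spreadsheet.
SAMPLE_USERS = {
    "alice": Subject("alice", Label("secret", frozenset({"finance"}))),
    "bob": Subject("bob", Label("confidential")),
    "carol": Subject("carol", Label("internal")),
}
SAMPLE_FILE = Resource(
    "q3-forecast.xlsx", owner="alice",
    label=Label("confidential", frozenset({"finance"})),
    acl={"bob": {"read"}},
)


def run_demo() -> dict:
    """Evaluate every user/right pair against the sample file."""
    return {(user, right): access_decision(SAMPLE_USERS[user], SAMPLE_FILE, right)
            for user in SAMPLE_USERS for right in ("read", "write")}


if __name__ == "__main__":
    for (user, right), (verdict, why) in run_demo().items():
        print(f"{user:6} {right:5} -> {verdict} ({why})")
```

The instructive case is bob: the owner has granted him read access through the ACL, yet the request is still denied because his clearance lacks the `finance` compartment, which is exactly the need-to-know principle the domain calls out. Conversely, alice cannot write to a file labelled below her own clearance even though she owns it; the run reports which of the two layers refused, which is the kind of detail an audit trail for an access control plan should capture.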